How IPSec VPN works

bijay.swain
Level 1


Commands used for IPSec VPN:

crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 2.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

crypto ipsec ikev1 transform-set TSet-1 esp-aes-256 esp-sha-hmac

--------------------------------------------------------------

IPSec VPN: Phase-1 Main Mode

Message 1 - Security association proposal
Message 2 - Security association response
Message 3 - DH key exchange and NAT detection
Message 4 - DH key exchange and NAT detection
Message 5 - Pre-shared key exchange by initiator (encrypted)
Message 6 - Pre-shared key exchange by responder (encrypted)

IPSec VPN: Phase-2 Quick Mode

Message 1 - ?
Message 2 - ?
Message 3 - ?

----------------------------------------------------


Question 1: Is it correct that "crypto ikev1 policy 1" is for Phase-1 and "crypto ipsec ikev1 transform-set TSet-1" is for Phase-2?

Question 2: Is it correct that the Phase-2 parameters (proposal) are shared in the Quick Mode messages? What is the content of the 3 Quick Mode messages?

Question 3: Does IPSec VPN use asymmetric encryption, where a public key and a private key are used?

Question 4: If we are using aes-256, which is symmetric, then how does IPSec use asymmetric encryption?

Question 5: The pre-shared key is used to authenticate the two devices, not as a key for encryption/decryption. Is that correct?

Question 6: Where is the DH group used? What is the key generated by DH used for (is it used as the key for aes-256)? If yes, then how is aes-256 symmetric?

Question 7: Can one side using NAT and the other side not using NAT be connected through an IPSec VPN? If yes, who will be using which port numbers (500/4500)?

 

6 Replies

Question 1: Is it correct that "crypto ikev1 policy 1" is for Phase-1 and "crypto ipsec ikev1 transform-set TSet-1" is for Phase-2? Correct.

Question 2: Is it correct that the Phase-2 parameters (proposal) are shared in the Quick Mode messages? What is the content of the 3 Quick Mode messages? Not only in Quick Mode but also in Main Mode.

Question 3: Does IPSec VPN use asymmetric encryption, where a public key and a private key are used? Depends on the auth: PSK or RSA.

Question 4: If we are using aes-256, which is symmetric, then how does IPSec use asymmetric encryption? This needs to be checked.

Question 5: The pre-shared key is used to authenticate the two devices, not as a key for encryption/decryption. Is that correct? Correct, and also the PSK is used as a seed for the new encrypt/decrypt key.

Question 6: Where is the DH group used? What is the key generated by DH used for (is it used as the key for aes-256)? If yes, then how is aes-256 symmetric? Related to Q4; this needs to be checked.

Question 7: Can one side using NAT and the other side not using NAT be connected through an IPSec VPN? If yes, who will be using which port numbers (500/4500)? One side uses NAT and the other does not use NAT; this case can happen, but I don't get your question about the port.

Hi MMH

Q7: in this case, are both ports 500 and 4500 used?

No, both will use 4500 if one side is behind a NAT device.

@bijay.swain both UDP 500 and UDP 4500 will be used.

The initial IKE communication will always start using UDP/500, if NAT is detected then communication changes to use UDP/4500 for all encrypted traffic.


 

And in the end, they will both use 4500.

He asked if one side will use 4500 and the other will use 500, and I replied that both sides will use 4500.

Check his question above.

bijay.swain
Level 1

Is there any document that describes the exact process used by IPSec VPN, from creating the tunnel to the actual data transfer, step by step?

Or can anyone clarify every protocol's role in each step, i.e. once the SA proposal is shared and accepted, which protocol does what activity next?

If the below protocols are agreed upon:

crypto ikev1 policy 1
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400

tunnel-group 2.1.1.2 ipsec-attributes
ikev1 pre-shared-key *****

crypto ipsec ikev1 transform-set TSet-1 esp-aes-256 esp-sha-hmac

1st msg is proposal sharing
2nd msg is sharing the accepted proposal
3rd msg is DH key sharing and NAT detection (where will this DH key be used?)
4th msg is DH key sharing and NAT detection (where will this DH key be used?)
5th msg is authenticating the device with the pre-shared key (the msg is encrypted by which encryption method, and which key is used for encryption and decryption?)
6th msg is authenticating the device with the pre-shared key (the msg is encrypted by which encryption method, and which key is used for encryption and decryption?)

Phase 2 Quick Mode
1st msg
2nd msg
3rd msg
Is proposal sharing done again for Phase 2 in the above 3 msgs?
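An added example, not from this thread or from Cisco, that works through what the replies to Q4 to Q6 and the questions in the last post only sketch: how IKEv1 Main Mode turns the "pre-share" key and the "group 2" DH exchange into the symmetric aes-256 key, following RFC 2409 with the policy's "hash sha" as the PRF. The SA/ID payload bodies and the sample PSK values are constructed placeholders.

```python
import hashlib, hmac, secrets

# "group 2" in the policy = RFC 2409 second Oakley group: 1024-bit MODP prime, generator 2.
P = int("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2

def prf(key, data):
    """'hash sha' in the policy makes the IKE PRF HMAC-SHA1 (RFC 2409 section 5)."""
    return hmac.new(key, data, hashlib.sha1).digest()

def dh_keypair():
    x = secrets.randbelow(P - 2) + 1       # private exponent, never leaves the device
    return x, pow(G, x, P)                 # g^x is what the KE payload (msg 3/4) carries

def ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r):
    """RFC 2409 section 5.4: the PSK keys the PRF over the nonces, the DH secret g^xy
    feeds the child keys. The PSK itself is never used as the AES key."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")              # seed for Phase-2 keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")   # IKE integrity key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")   # IKE encryption key
    return skeyid, skeyid_d, skeyid_a, skeyid_e

def expand_aes256(skeyid_e):
    """SHA-1 yields 20 bytes but aes-256 needs 32, so RFC 2409 Appendix B expands:
    K1 = prf(SKEYID_e, 0), K2 = prf(SKEYID_e, K1), truncated to the key length."""
    k1 = prf(skeyid_e, b"\x00")
    return (k1 + prf(skeyid_e, k1))[:32]

def simulate_main_mode(psk_i, psk_r):
    """Both peers' computations for messages 3-5; returns (same AES key?, HASH_I verifies?)."""
    cky_i, cky_r = secrets.token_bytes(8), secrets.token_bytes(8)   # ISAKMP cookies (msgs 1/2)
    ni, nr = secrets.token_bytes(20), secrets.token_bytes(20)       # nonces sent in msgs 3/4
    xi, gxi = dh_keypair()                                          # initiator KE, msg 3
    xr, gxr = dh_keypair()                                          # responder KE, msg 4
    gxy_i = pow(gxr, xi, P).to_bytes(128, "big")   # each side computes g^xy locally;
    gxy_r = pow(gxi, xr, P).to_bytes(128, "big")   # the shared secret is never transmitted
    keys_i = ikev1_psk_keys(psk_i, ni, nr, gxy_i, cky_i, cky_r)
    keys_r = ikev1_psk_keys(psk_r, ni, nr, gxy_r, cky_i, cky_r)
    # Msg 5 carries HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b),
    # encrypted under SKEYID_e. SAi_b and IDii_b here are constructed stand-in payload bodies.
    body = (gxi.to_bytes(128, "big") + gxr.to_bytes(128, "big") + cky_i + cky_r
            + b"constructed-SA-payload" + b"constructed-ID-payload")
    hash_i_sent = prf(keys_i[0], body)      # initiator proves it knows the PSK
    hash_i_check = prf(keys_r[0], body)     # responder recomputes with its own SKEYID
    return (expand_aes256(keys_i[3]) == expand_aes256(keys_r[3]), hash_i_sent == hash_i_check)
```

Asymmetric DH is used only to agree on g^xy; the PSK only authenticates (a wrong PSK makes HASH_I fail), and the aes-256 key both sides end up with is identical, which is why the data encryption itself is symmetric.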

 
